Credential phishing has many undesirable outcomes, from lost business and data to reputational and legal harm. Small and medium-sized enterprises (SMEs) have responded by deploying the security controls that are readily available on their platforms, like multi-factor authentication (MFA). Unfortunately, adversaries’ tactics and capabilities have shifted to the point where traditional MFA isn’t always enough. And let’s face it, many people simply dislike using some forms of MFA.
NIST recognized this issue in its February 2022 paper and cautioned, “All MFA processes using shared secrets are vulnerable to phishing attacks.” The solution is modern authentication, or passwordless authentication, which is stronger and more convenient for users. Use cases can range from securing privileged assets and identities to simply making it easier for everybody to get work done by eliminating the source of their frustrations with MFA.
JumpCloud and Okta both provide modern authentication via JumpCloud Go™ and Okta FastPass™. They serve a similar purpose, but the implementations are very different. This has real-world impacts on the ease of deployments and determines what’s possible with each platform. JumpCloud also has integrated cross-OS device management while Okta doesn’t. This article draws a comparison between these technologies that SMEs can use as a reference.
What Is Okta FastPass?
Okta FastPass is a passwordless authentication system that works with Okta’s single sign-on (SSO) and MFA products to access web apps. It requires Okta Verify, a mobile app, in order to function, and is available to Okta Identity Engine (OIE) subscribers. Existing customers must upgrade from the Classic Engine to the OIE authentication pipeline in order to use FastPass.
How Does Okta FastPass Work?
FastPass leverages public key infrastructure (PKI) to bind a set of keys to a device. It stores the private keys on a secure crypto-processor such as a Trusted Platform Module (TPM) or Apple’s Secure Enclave. A software keystore is used if a device doesn’t have the requisite hardware. Access requests are redirected from a service provider (SP) to Okta for authentication, and the challenge flows to the Okta Verify app for verification. The app collects various signals from the device and generates digitally signed output using the keystore(s). Okta servers check that payload’s signature and evaluate it against policies to make authentication decisions. If access is granted, the assertions are passed on to the SP; otherwise, a designated policy action is taken.
Okta’s FastPass Technical Whitepaper outlines all authentication flows.
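The general pattern behind the flow described above (a device-bound key signs a server challenge plus device signals, and the server checks the signature, challenge freshness and policy) can be sketched as follows. This is an added example, not Okta's code or protocol; the function names, the `diskEncrypted` signal and the policy rule are assumptions made for illustration.

```javascript
// Added illustration, not Okta's code: all names and the policy rule are hypothetical.
const crypto = require('crypto');

// Enrollment: the device creates a key pair and registers only the public key.
// A hardware-backed authenticator would keep the private key in a TPM or Secure Enclave.
function enrollDevice() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // NIST P-256
}

// Device side: sign the server's challenge together with the collected signals.
function respond(privateKey, nonce, signals) {
  const payload = JSON.stringify({ nonce, signals });
  const signature = crypto.sign('sha256', Buffer.from(payload), privateKey);
  return { payload, signature };
}

class AuthServer {
  constructor() {
    this.devices = new Map(); // deviceId -> enrolled public key
    this.pending = new Set(); // challenges issued and not yet used
  }
  register(deviceId, publicKey) {
    this.devices.set(deviceId, publicKey);
  }
  issueChallenge() {
    const nonce = crypto.randomBytes(16).toString('hex');
    this.pending.add(nonce);
    return nonce;
  }
  verify(deviceId, payload, signature) {
    const publicKey = this.devices.get(deviceId);
    if (!publicKey) return 'deny: unknown device';
    // Check the signature over the exact bytes received before trusting any field.
    if (!crypto.verify('sha256', Buffer.from(payload), publicKey, signature)) {
      return 'deny: bad signature';
    }
    const { nonce, signals } = JSON.parse(payload);
    // delete() returns false for a challenge that was never issued or already used.
    if (!this.pending.delete(nonce)) return 'deny: stale challenge';
    // Constructed policy: only devices reporting disk encryption get access.
    if (!signals.diskEncrypted) return 'deny: policy';
    return 'allow';
  }
}
```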
Benefits and Challenges of Okta FastPass
Benefits
- Admins can use FastPass for passwordless authentication from any device or location into SSO apps.
- Okta FastPass works with several different IdP flows.
- There’s no dependency on Active Directory (AD).
- It’s possible to enforce conditional access to limit access to managed, compliant devices if third-party Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) has been configured for use with Okta’s platform.
- FastPass can be combined with device-level biometrics.
Challenges
- Okta lacks Unified Endpoint Management (UEM); third-party solutions such as JumpCloud must be configured to manage your devices.
- Okta Classic Engine users that have deployed Device Trust must carefully deactivate it in order to adopt FastPass after upgrading to OIE. There are several caveats during the migration process, such as steps that are irreversible.
- Admins must confirm that enabling FastPass doesn’t disconnect users who remain enrolled in Device Trust to access managed apps. It should also still be possible to enroll new Okta Verify users. Users that are working from unmanaged devices should also be unaffected by these changes.
- Customers must set up a certificate authority (CA) to distribute management certificates to desktop devices. FastPass is a universal Okta feature, but only users that are registered with Okta Verify using devices with a certificate are authorized to use it.
- A mobile app is required for remote users. It can be deployed as a managed app, but that requires having a separate EMM/MDM solution.
Note: Okta doesn’t have Unified Endpoint Management (UEM). It relies on third-party MDM.
What Is JumpCloud Go?
JumpCloud Go enables secure passwordless authentication to JumpCloud-protected web resources on managed devices. Users can verify their identity using device authenticators with biometrics (Apple Touch ID and Windows Hello) instead of password sign-in challenges. This improves security by simplifying the user login flow, reducing MFA fatigue, and minimizing password use. JumpCloud Go authentication also satisfies any User Portal MFA requirements.
JumpCloud Go provides instant revocation when a user status changes from “active” to “suspended”. That’s possible because the platform has integrated identity and device management.
How Does JumpCloud Go Work?
JumpCloud Go is built using open web standards. A device user refresh token (DURT) is generated by managed users on managed devices, which in turn grants access to the User Portal and SSO apps. JumpCloud Go supports macOS and Windows devices with specifications for Secure Enclave and Trusted Platform Module (TPM) 2.0.
Note: JumpCloud integrates cross-OS device management with IAM. The platform architecture allows for Go to be extended with more holistic policies and device settings over time.
The prerequisites mandate that a JumpCloud agent has to be installed and running on macOS and Windows devices. At present, a Google Chrome browser with the JumpCloud Go browser extension must be installed. Admins can deploy it manually or by using Google’s Chrome Browser Cloud Management (CBCM). Go is enabled through the centralized Admin Console without additional components. Enabling JumpCloud Go will automatically save it as an MFA factor. Users must configure biometrics on their devices to utilize them with JumpCloud Go.
End users register by clicking “Log in with JumpCloud Go.” The registration flow is a traditional user console login using your organization’s emails and passwords. DURTs are granted every 12 hours, and then users are prompted to verify their identities by using device authentication.
JumpCloud Go vs. Okta FastPass
JumpCloud Go and Okta FastPass serve a similar purpose, but their architectures are different. Those differences influence how the solutions are deployed as well as product use cases. JumpCloud’s platform has integrated UEM, while Okta customers must choose a UEM provider.
Let’s explore some of those differences.
Authentication
- JumpCloud Go uses a DURT to provide passwordless authentication that satisfies MFA requirements for SSO and the JumpCloud User Console. IAM and UEM are integrated, so only managed devices and users are ever registered to use Go. JumpCloud conditional access policies deploy device trust certificates to desktops.
- Okta’s FastPass is built around PKI using components including Okta OIE and Okta Verify. It works in unison with external UEM to deliver a full solution.
- Okta allows for PIV/CAC cards as a step-up MFA for privileged resources. Using a DURT does not satisfy step-up MFA requirements at this time. However, JumpCloud integrates with device authenticators such as Windows Hello for added security.
JumpCloud lets admins lock out the whole computer, which effectively locks unauthorized users out of all browsers as well as native apps. Okta’s Universal Logout can terminate browser sessions, but is reliant on SSO apps that support it. Okta lacks native endpoint management capabilities.
Deployment
- JumpCloud Go is deployed using a browser extension on managed devices. It’s turned on using the Admin Console.
- Okta admins must deploy Okta Verify apps, configure a CA, and integrate with an external UEM vendor.
- JumpCloud Go will be launched on Linux, pending customer need.
- Okta FastPass supports Android and Apple mobile devices. However, there are some prerequisites.
- FastPass requires a Safari extension in order to work without prompting users. Your MDM provider must support Apple’s Extensible Single Sign-On framework to define extensions for MFA.
Integrated Device Management
- UEM is external to Okta, whereas JumpCloud Go can enforce device management. Consequently, Okta FastPass doesn’t require devices to be managed.
- The JumpCloud Go credential is secured and tied to login credentials for managed accounts on managed devices. Okta FastPass doesn’t work that way.
- Okta FastPass may be used for desktop single sign-on. JumpCloud Go is available exclusively for User Portal authentication at this time to protect apps and resources.
Licensing
- Customers can get started with JumpCloud Go either by subscribing to the full platform or by selecting JumpCloud’s device management and SSO SKUs.
- There is a $1,500 annual contract minimum in all Okta plans. There may be additional costs to deploy and manage on-premises components. Okta doesn’t provide UEM, which must be obtained separately for a secure device state.
Access JumpCloud’s pricing comparison tool and TCO calculator.
User Experience
- Using a DURT creates a better end user experience with fewer interactive password authentications to access managed resources.
- Both solutions offer configurable session settings.
Get Started With JumpCloud Go
Admins can move more efficiently to secure privileged access from desktops to assets and eliminate MFA fatigue by using JumpCloud Go. JumpCloud’s cross-OS device management makes it possible to restrict access to only managed devices that meet your security baselines.
If you want to learn more about JumpCloud Go, just drop us a note or get started with a free trial.